Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:29
Static task: static1
Behavioral task: behavioral1
Sample: 29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe
Resource: win10v2004-20241007-en

General
Target: 29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe
Size: 690KB
MD5: e201c02c05fa1299cf9780eb03a01ed4
SHA1: 6f180a8bbcad0261052e21092d7f0e647f3ae0bd
SHA256: 29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376
SHA512: 77bce7745432a01c43e396390a984ef9c5eb2a138430cd92124d7dc4e3c0c2f988e7f86d1c667d4001c9df22d735205ad4d849b2d1c15879d3e97dc245bfed7a
SSDEEP: 12288:gy901WvSGxXWHFxcA5YHUs/k3mZ0yKoz2rmznc1a3kM3+:gycECA95MkKy2renoa3d3+
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Process 74222017.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
- PID 1660: un884838.exe
- PID 1456: 74222017.exe
- PID 3484: rk419414.exe
Windows security modification
Process 74222017.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by un884838.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
- pid 1636, pid_target 1456, Process WerFault.exe, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened by 29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by un884838.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by 74222017.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by rk419414.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1456: 74222017.exe
- PID 1456: 74222017.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1456, Process 74222017.exe
- Token: SeDebugPrivilege, PID 3484, Process rk419414.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2276 (29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe) wrote to memory of PID 1660, procid_target 83
- PID 2276 (29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe) wrote to memory of PID 1660, procid_target 83
- PID 2276 (29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe) wrote to memory of PID 1660, procid_target 83
- PID 1660 (un884838.exe) wrote to memory of PID 1456, procid_target 84
- PID 1660 (un884838.exe) wrote to memory of PID 1456, procid_target 84
- PID 1660 (un884838.exe) wrote to memory of PID 1456, procid_target 84
- PID 1660 (un884838.exe) wrote to memory of PID 3484, procid_target 99
- PID 1660 (un884838.exe) wrote to memory of PID 3484, procid_target 99
- PID 1660 (un884838.exe) wrote to memory of PID 3484, procid_target 99
Processes

C:\Users\Admin\AppData\Local\Temp\29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe (PID 2276, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\29fe34455ebd0420bccb5c83c3403a7ea63c87d09f1f4972453cdbca5fd82376.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884838.exe (PID 1660, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884838.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74222017.exe (PID 1456, depth 3)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74222017.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (PID 1636, depth 4)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1084
            - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk419414.exe (PID 3484, depth 3)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk419414.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2352, depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads